Split Permissions Model Reference

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Applies to: Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic is designed to help you plan your split permissions model. It provides details about Microsoft Exchange Server 2007 permissions in the following sections:

  • Recipient Management

  • User-Related Tasks

  • Contact-Related Tasks

  • Group-Related Tasks

  • Dynamic Distribution List-Related Tasks

The tables in this topic list attributes by their Lightweight Directory Access Protocol (LDAP) display name and the name of their Exchange Management Shell property or the name of their location in the Exchange Management Console. If an attribute name is followed by text in parentheses, that text indicates the name as seen in Active Directory directory service interfaces, such as Active Directory Service Interfaces (ADSI) Edit. All references to user objects also apply to the inetOrgPerson object. However, the inetOrgPerson object is not specified because it is rarely used.

Note

To create the corresponding objects in the domain partition, you must be either a member of a privileged security group such as Account Operators or be granted the appropriate security permissions. For more information, see Best Practices for Delegating Active Directory Administration.

Recipient Management

In Exchange 2007, you can use the following administrative interfaces to manage recipients:

  • Exchange Management Console

  • Exchange Management Shell

The Exchange Management Console supports the following:

  • Enabling and disabling recipients

  • Managing several recipient-related properties

The Exchange Management Shell supports all aspects of the recipient.

The Exchange-related attributes are associated with user, inetOrgPerson, group, and contact class objects.

By granting an Exchange Administrator Read and Write access to the attributes that are associated with the tasks listed in this section, the administrator can perform a particular function, such as manage e-mail addresses.

You can be more specific in granting permissions. For example, the Exchange Administrator may be granted the ability to modify only the attributes that are associated with a particular function. For more information, see Planning and Implementing a Split Permissions Model.
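As an added example (not from the original page), the following Exchange Management Shell script delegates only the attributes that back the e-mail address properties (EmailAddresses, PrimarySmtpAddress, Alias and EmailAddressPolicyEnabled in the cmdlet tables that follow) to a custom group, scoped to one OU, and then reads the ACL back to confirm nothing broader was granted. The OU, the delegate group and the domain are assumed placeholders, and the shape of the Get-ADPermission output (Deny, IsInherited, AccessRights, Properties) is assumed from the Exchange 2007 cmdlets.

```powershell
# Added example, not part of the original page. Placeholders: the OU, the
# delegate group and the domain are assumed and must be replaced.
$ou    = "OU=Sales,DC=contoso,DC=com"        # assumed scope of the delegation
$group = "CONTOSO\Exchange-Address-Admins"   # assumed delegate security group

# Active Directory attributes behind the e-mail address properties, taken from
# the Set-MailUser / Set-Mailbox tables on this page:
#   EmailAddresses            -> proxyAddresses
#   PrimarySmtpAddress        -> mail
#   Alias                     -> mailNickname
#   EmailAddressPolicyEnabled -> msExchPoliciesIncluded; msExchPoliciesExcluded
$addressAttrs = @(
    "proxyAddresses",
    "mail",
    "mailNickname",
    "msExchPoliciesIncluded",
    "msExchPoliciesExcluded"
)

# One ACE per attribute: Read + Write on that attribute only, inherited by
# user objects under the OU. Repeat with -InheritedObjectType inetOrgPerson
# if that class is in use (the page notes it is rarely used).
foreach ($attr in $addressAttrs) {
    Add-ADPermission -Identity $ou -User $group `
        -AccessRights ReadProperty, WriteProperty `
        -Properties $attr `
        -InheritanceType Descendents `
        -InheritedObjectType user
}

# Verification / drift check: every explicit Allow ACE for the group on the OU
# that grants WriteProperty must name one of the intended attributes.
# An ACE with an empty Properties list means "all properties" and is flagged.
$aces = Get-ADPermission -Identity $ou -User $group |
    Where-Object { -not $_.Deny -and -not $_.IsInherited -and
                   ("$($_.AccessRights)" -match "WriteProperty") }

$tooBroad = @()
foreach ($ace in $aces) {
    if ($ace.Properties -eq $null -or $ace.Properties.Count -eq 0) {
        $tooBroad += "WriteProperty on ALL attributes"
        continue
    }
    foreach ($p in $ace.Properties) {
        # "$p" relies on the schema object rendering as its LDAP display name (assumed)
        if ($addressAttrs -notcontains "$p") { $tooBroad += "WriteProperty on $p" }
    }
}

if ($tooBroad.Count -gt 0) {
    Write-Warning ("Delegation for {0} on {1} is broader than intended:" -f $group, $ou)
    $tooBroad | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host ("Delegation for {0} on {1} is limited to: {2}" -f `
        $group, $ou, ($addressAttrs -join ", "))
}
```

Run the verification half on its own after any later change to the OU's ACL; a hit on "ALL attributes" means someone granted a blanket WriteProperty that the split model was meant to avoid.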

The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-User cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.

Set-User properties

Exchange Management Shell property | Active Directory attribute
---------------------------------- | --------------------------
AssistantName | msExchAssistantName
City | l
Company | company
CountryOrRegion | countryCode; co; c
Department | department
DirectReports | directReports
DisplayName | displayName (Display Name)
Fax | facsimileTelephoneNumber
FirstName | givenName
HomePhone | homePhone
Initials | initials
LastName | sn
Manager | manager
MobilePhone | mobile
Name | name; cn
Notes | info
Office | physicalDeliveryOfficeName
OtherFax | otherFacsimileTelephoneNumber
OtherHomePhone | otherHomePhone
OtherTelephone | otherTelephone
Pager | pager
Phone | telephoneNumber
PhoneticDisplayName | msDS-PhoneticDisplayName
PostalCode | postalCode
PostOfficeBox | postOfficeBox
SimpleDisplayName | displayNamePrintable
StateOrProvince | st
StreetAddress | streetAddress
Title | title
TelephoneAssistant | telephoneAssistant

The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-MailUser cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.

Set-MailUser properties

Exchange Management Shell property | Active Directory attribute
---------------------------------- | --------------------------
AcceptMessagesOnlyFrom | authOrig
AcceptMessagesOnlyFromDLMembers | dLMemSubmitPerms
Alias | mailNickname (Alias)
CustomAttribute1 | extensionAttribute1 (Custom Attribute 1)
CustomAttribute10 | extensionAttribute10 (Custom Attribute 10)
CustomAttribute11 | extensionAttribute11 (Custom Attribute 11)
CustomAttribute12 | extensionAttribute12 (Custom Attribute 12)
CustomAttribute13 | extensionAttribute13 (Custom Attribute 13)
CustomAttribute14 | extensionAttribute14 (Custom Attribute 14)
CustomAttribute15 | extensionAttribute15 (Custom Attribute 15)
CustomAttribute2 | extensionAttribute2 (Custom Attribute 2)
CustomAttribute3 | extensionAttribute3 (Custom Attribute 3)
CustomAttribute4 | extensionAttribute4 (Custom Attribute 4)
CustomAttribute5 | extensionAttribute5 (Custom Attribute 5)
CustomAttribute6 | extensionAttribute6 (Custom Attribute 6)
CustomAttribute7 | extensionAttribute7 (Custom Attribute 7)
CustomAttribute8 | extensionAttribute8 (Custom Attribute 8)
CustomAttribute9 | extensionAttribute9 (Custom Attribute 9)
DisplayName | displayName (Display Name)
EmailAddresses | proxyAddresses (Proxy Addresses)
EmailAddressPolicyEnabled | msExchPoliciesIncluded; msExchPoliciesExcluded
Extensions | proxyAddresses (Proxy Addresses)
ExternalEmailAddress | targetAddress
GrantSendOnBehalfTo | publicDelegates
HiddenFromAddressListsEnabled | showInAddressBook; msExchHideFromAddressLists
MacAttachmentFormat | internetEncoding
MaxReceiveSize | delivContLength
MaxSendSize | submissionContLength
MessageBodyFormat | internetEncoding
MessageFormat | internetEncoding
Name | name; cn
PrimarySmtpAddress | mail (E-Mail Address)
RecipientLimits | msExchRecipLimit
RejectMessagesFrom | unauthOrig
RejectMessagesFromDLMembers | dLMemRejectPerms
RequireSenderAuthenticationEnabled | msExchRequireAuthToSendTo
SecondaryAddress | proxyAddresses (Proxy Addresses)
SecondaryDialPlan | proxyAddresses (Proxy Addresses)
SimpleDisplayName | displayNamePrintable
UMDTMFMap | msExchUMDtmfMap
UseMapiRichTextFormat | mAPIRecipient
UsePreferMessageFormat | internetEncoding

The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-Mailbox cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.

Set-Mailbox properties

Exchange Management Shell property | Active Directory attribute
---------------------------------- | --------------------------
AcceptMessagesOnlyFrom | authOrig
AcceptMessagesOnlyFromDLMembers | dLMemSubmitPerms
Alias | mailNickname (Alias)
AntispamBypassEnabled | msExchMessageHygieneFlags
ApplyMandatoryProperties | msExchVersion; msExchRecipientDisplayType; msExchRecipientTypeDetails
CustomAttribute1 | extensionAttribute1 (Custom Attribute 1)
CustomAttribute10 | extensionAttribute10 (Custom Attribute 10)
CustomAttribute11 | extensionAttribute11 (Custom Attribute 11)
CustomAttribute12 | extensionAttribute12 (Custom Attribute 12)
CustomAttribute13 | extensionAttribute13 (Custom Attribute 13)
CustomAttribute14 | extensionAttribute14 (Custom Attribute 14)
CustomAttribute15 | extensionAttribute15 (Custom Attribute 15)
CustomAttribute2 | extensionAttribute2 (Custom Attribute 2)
CustomAttribute3 | extensionAttribute3 (Custom Attribute 3)
CustomAttribute4 | extensionAttribute4 (Custom Attribute 4)
CustomAttribute5 | extensionAttribute5 (Custom Attribute 5)
CustomAttribute6 | extensionAttribute6 (Custom Attribute 6)
CustomAttribute7 | extensionAttribute7 (Custom Attribute 7)
CustomAttribute8 | extensionAttribute8 (Custom Attribute 8)
CustomAttribute9 | extensionAttribute9 (Custom Attribute 9)
DeliverToMailboxAndForward | deliverAndRedirect
DisplayName | displayName (Display Name)
EmailAddresses | proxyAddresses (Proxy Addresses)
EmailAddressPolicyEnabled | msExchPoliciesIncluded; msExchPoliciesExcluded
EndDateForRetentionHold | msExchELCExpirySuspensionEnd
Extensions | proxyAddresses (Proxy Addresses)
ExternalOofOptions | msExchExternalOOFOptions
ForwardingAddress | altRecipient
GrantSendOnBehalfTo | publicDelegates
HiddenFromAddressListsEnabled | msExchHideFromAddressLists; showInAddressBook
IssueWarningQuota | mDBStorageQuota
Languages | msExchUserCulture
LinkedMasterAccount | msExchMasterAccountSid
ManagedFolderMailboxPolicy | msExchMailboxTemplateLink
MaxBlockedSenders | msExchMaxBlockedSenders
MaxReceiveSize | delivContLength
MaxSafeSenders | msExchMaxSafeSenders
MaxSendSize | submissionContLength
Name | name; cn
Office | physicalDeliveryOfficeName
OfflineAddressBook | msExchUseOAB
PrimarySmtpAddress | mail (E-Mail Address)
ProhibitSendQuota | mDBOverQuotaLimit
ProhibitSendReceiveQuota | mDBOverHardQuotaLimit
RecipientLimits | msExchRecipLimit
RejectMessagesFrom | unauthOrig
RejectMessagesFromDLMembers | dLMemRejectPerms
RequireSenderAuthenticationEnabled | msExchRequireAuthToSendTo
ResourceCapacity | msExchResourceCapacity
ResourceCustom | msExchResourceSearchProperties; msExchResourceDisplay
RetainDeletedItemsFor | garbageCollPeriod
RetainDeletedItemsUntilBackup | deletedItemFlags
RetentionHoldEnabled | msExchELCMailboxFlags
RulesQuota | msExchMDBRulesQuota
SCLDeleteEnabled | msExchMessageHygieneSCLDeleteThreshold
SCLDeleteThreshold | msExchMessageHygieneSCLDeleteThreshold
SCLJunkEnabled | msExchMessageHygieneSCLJunkThreshold
SCLJunkThreshold | msExchMessageHygieneSCLJunkThreshold
SCLQuarantineEnabled | msExchMessageHygieneSCLQuarantineThreshold
SCLQuarantineThreshold | msExchMessageHygieneSCLQuarantineThreshold
SCLRejectEnabled | msExchMessageHygieneSCLRejectThreshold
SCLRejectThreshold | msExchMessageHygieneSCLRejectThreshold
SimpleDisplayName | displayNamePrintable
StartDateForRetentionHold | msExchELCExpirySuspensionStart
Type | nTSecurityDescriptor; userAccountControl; msExchMailboxSecurityDescriptor; msExchUserAccountControl; msExchRecipientDisplayType; msExchRecipientTypeDetails; msExchResourceDisplay; msExchResourceSearchProperties; msExchResourceMetaData; msExchMasterAccountSid; showInAddressBook
UMDtmfMap | msExchUMDtmfMap
UseDatabaseQuotaDefaults | mDBUseDefaults
UseDatabaseRetentionDefaults | deletedItemFlags

The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-CASMailbox cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.

Set-CASMailbox properties

Exchange Management Shell property | Active Directory attribute
---------------------------------- | --------------------------
ActiveSyncAllowedDeviceIDs | msExchMobileAllowedDeviceIDs
ActiveSyncDebugLogging | msExchMobileDebugLogging
ActiveSyncMailboxPolicy | msExchMobileMailboxPolicyLink
ActiveSyncEnabled | msExchOmaAdminWirelessEnable
DisplayName | displayName (Display Name)
EmailAddresses | proxyAddresses (Proxy Addresses)
HasActiveSyncDevicePartnership | msExchMobileMailboxFlags
ImapEnabled | protocolSettings
ImapMessagesRetrievalMimeFormat | protocolSettings
ImapUseProtocolDefaults | protocolSettings
MAPIBlockOutlookNonCachedMode | protocolSettings
MAPIBlockOutlookRpcHttp | protocolSettings
MAPIBlockOutlookVersions | protocolSettings
MAPIEnabled | protocolSettings
Name | name; cn
OWAActiveSyncIntegrationEnabled | msExchMailboxFolderSet
OWAAllAddressListsEnabled | msExchMailboxFolderSet
OWACalendarEnabled | msExchMailboxFolderSet
OWAChangePasswordEnabled | msExchMailboxFolderSet
OWAContactsEnabled | msExchMailboxFolderSet
OWAEnabled | protocolSettings
OWAJournalEnabled | msExchMailboxFolderSet
OWAJunkEmailEnabled | msExchMailboxFolderSet
OWANotesEnabled | msExchMailboxFolderSet
OWAPremiumClientEnabled | msExchMailboxFolderSet
OWARemindersAndNotificationsEnabled | msExchMailboxFolderSet
OWASearchFoldersEnabled | msExchMailboxFolderSet
OWASignaturesEnabled | msExchMailboxFolderSet
OWASpellCheckerEnabled | msExchMailboxFolderSet
OWATasksEnabled | msExchMailboxFolderSet
OWAThemeSelectionEnabled | msExchMailboxFolderSet
OWAUMIntegrationEnabled | msExchMailboxFolderSet
OWAUNCAccessOnPrivateComputersEnabled | msExchMailboxFolderSet
OWAUNCAccessOnPublicComputersEnabled | msExchMailboxFolderSet
OWAWSSAccessOnPrivateComputersEnabled | msExchMailboxFolderSet
OWAWSSAccessOnPublicComputersEnabled | msExchMailboxFolderSet
PopEnabled | protocolSettings
PopMessagesRetrievalMimeFormat | protocolSettings
PopUseProtocolDefaults | protocolSettings
PrimarySmtpAddress | mail (E-Mail Address)
ProtocolSettings | protocolSettings

The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-UMMailbox cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.

Set-UMMailbox properties

Exchange Management Shell property | Active Directory attribute
---------------------------------- | --------------------------
AllowUMCallsFromNonUsers | msExchUMListInDirectorySearch
AnonymousCallersCanLeaveMessages | msExchUMEnabledFlags
AutomaticSpeechRecognitionEnabled | msExchUMEnabledFlags
CallAnsweringAudioCodec | msExchUMAudioCodec
Extensions | proxyAddresses
FaxEnabled | msExchUMEnabledFlags
MissedCallNotificationEnabled | msExchUMServerWritableFlags
OperatorNumber | msExchUMOperatorNumber
SubscriberAccessEnabled | msExchUMEnabledFlags
TUIAccessToAddressBookEnabled | msExchUMEnabledFlags
TUIAccessToCalendarEnabled | msExchUMEnabledFlags
TUIAccessToEmailEnabled | msExchUMEnabledFlags
UMDialPlan | msExchUMRecipientDialPlanLink
UMDtmfMap | msExchUMDtmfMap
UMMailboxPolicy | msExchUMTemplateLink

The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-Contact cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.

Set-Contact properties

Exchange Management Shell property | Active Directory attribute
---------------------------------- | --------------------------
AssistantName | msExchAssistantName
City | l
Company | company
CountryOrRegion | countryCode; co; c
Department | department
DisplayName | displayName (Display Name)
Fax | facsimileTelephoneNumber
FirstName | givenName
HomePhone | homePhone
Initials | initials
LastName | sn
Manager | manager
MobilePhone | mobile
Name | name; cn
Notes | info
Office | physicalDeliveryOfficeName
OtherFax | otherFacsimileTelephoneNumber
OtherHomePhone | otherHomePhone
OtherTelephone | otherTelephone
Pager | pager
Phone | telephoneNumber
PhoneticDisplayName | msDS-PhoneticDisplayName
PostalCode | postalCode
PostOfficeBox | postOfficeBox
SimpleDisplayName | displayNamePrintable
StateOrProvince | st
StreetAddress | streetAddress
TelephoneAssistant | telephoneAssistant
Title | title

The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-MailContact cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.

Set-MailContact properties

Exchange Management Shell property | Active Directory attribute
---------------------------------- | --------------------------
AcceptMessagesOnlyFrom | authOrig
AcceptMessagesOnlyFromDLMembers | dLMemSubmitPerms
Alias | mailNickname (Alias)
CustomAttribute1 | extensionAttribute1 (Custom Attribute 1)
CustomAttribute10 | extensionAttribute10 (Custom Attribute 10)
CustomAttribute11 | extensionAttribute11 (Custom Attribute 11)
CustomAttribute12 | extensionAttribute12 (Custom Attribute 12)
CustomAttribute13 | extensionAttribute13 (Custom Attribute 13)
CustomAttribute14 | extensionAttribute14 (Custom Attribute 14)
CustomAttribute15 | extensionAttribute15 (Custom Attribute 15)
CustomAttribute2 | extensionAttribute2 (Custom Attribute 2)
CustomAttribute3 | extensionAttribute3 (Custom Attribute 3)
CustomAttribute4 | extensionAttribute4 (Custom Attribute 4)
CustomAttribute5 | extensionAttribute5 (Custom Attribute 5)
CustomAttribute6 | extensionAttribute6 (Custom Attribute 6)
CustomAttribute7 | extensionAttribute7 (Custom Attribute 7)
CustomAttribute8 | extensionAttribute8 (Custom Attribute 8)
CustomAttribute9 | extensionAttribute9 (Custom Attribute 9)
DisplayName | displayName (Display Name)
EmailAddresses | proxyAddresses (Proxy Addresses)
EmailAddressPolicyEnabled | msExchPoliciesIncluded; msExchPoliciesExcluded
Extensions | proxyAddresses (Proxy Addresses)
ExternalEmailAddress | targetAddress
GrantSendOnBehalfTo | publicDelegates
HiddenFromAddressListsEnabled | showInAddressBook; msExchHideFromAddressLists
MacAttachmentFormat | internetEncoding
MaxReceiveSize | delivContLength
MaxRecipientPerMessage | msExchRecipLimit
MaxSendSize | submissionContLength
MessageBodyFormat | internetEncoding
MessageFormat | internetEncoding
Name | name; cn
PrimarySmtpAddress | mail (E-Mail Address)
RejectMessagesFrom | unauthOrig
RejectMessagesFromDLMembers | dLMemRejectPerms
RequireSenderAuthenticationEnabled | msExchRequireAuthToSendTo
SecondaryAddress | proxyAddresses (Proxy Addresses)
SecondaryDialPlan | proxyAddresses (Proxy Addresses)
SimpleDisplayName | displayNamePrintable
UMDTMFMap | msExchUMDtmfMap
UseMapiRichTextFormat | mAPIRecipient
UsePreferMessageFormat | internetEncoding

The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-Group cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.

Set-Group properties

Exchange Management Shell property | Active Directory attribute
---------------------------------- | --------------------------
DisplayName | displayName (Display Name)
ManagedBy | managedBy
Name | name; cn
Notes | info
PhoneticDisplayName | msDS-PhoneticDisplayName
SimpleDisplayName | displayNamePrintable
Universal | groupType

The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-DistributionGroup cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.

Set-DistributionGroup properties

Exchange Management Shell property | Active Directory attribute
---------------------------------- | --------------------------
AcceptMessagesOnlyFrom | authOrig
AcceptMessagesOnlyFromDLMembers | dLMemSubmitPerms
Alias | mailNickname (Alias)
CustomAttribute1 | extensionAttribute1 (Custom Attribute 1)
CustomAttribute10 | extensionAttribute10 (Custom Attribute 10)
CustomAttribute11 | extensionAttribute11 (Custom Attribute 11)
CustomAttribute12 | extensionAttribute12 (Custom Attribute 12)
CustomAttribute13 | extensionAttribute13 (Custom Attribute 13)
CustomAttribute14 | extensionAttribute14 (Custom Attribute 14)
CustomAttribute15 | extensionAttribute15 (Custom Attribute 15)
CustomAttribute2 | extensionAttribute2 (Custom Attribute 2)
CustomAttribute3 | extensionAttribute3 (Custom Attribute 3)
CustomAttribute4 | extensionAttribute4 (Custom Attribute 4)
CustomAttribute5 | extensionAttribute5 (Custom Attribute 5)
CustomAttribute6 | extensionAttribute6 (Custom Attribute 6)
CustomAttribute7 | extensionAttribute7 (Custom Attribute 7)
CustomAttribute8 | extensionAttribute8 (Custom Attribute 8)
CustomAttribute9 | extensionAttribute9 (Custom Attribute 9)
DisplayName | displayName (Display Name)
EmailAddresses | proxyAddresses (Proxy Addresses)
EmailAddressPolicyEnabled | msExchPoliciesIncluded; msExchPoliciesExcluded
ExpansionServer | msExchExpansionServerName; homeMTA
GrantSendOnBehalfTo | publicDelegates
HiddenFromAddressListsEnabled | showInAddressBook; msExchHideFromAddressLists
MaxReceiveSize | delivContLength
MaxSendSize | submissionContLength
Name | name; cn
PrimarySmtpAddress | mail (E-Mail Address)
RejectMessagesFrom | unauthOrig
RejectMessagesFromDLMembers | dLMemRejectPerms
ReportToManagerEnabled | reportToOwner
ReportToOriginatorEnabled | reportToOriginator
RequireSenderAuthenticationEnabled | msExchRequireAuthToSendTo
SendOofMessageToOriginatorEnabled | oOFReplyToOriginator
SimpleDisplayName | displayNamePrintable
UMDtmfMap | msExchUMDtmfMap

The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-DynamicDistributionGroup cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.

Set-DynamicDistributionGroup properties

Exchange Management Shell property | Active Directory attribute
---------------------------------- | --------------------------
AcceptMessagesOnlyFrom | authOrig
AcceptMessagesOnlyFromDLMembers | dLMemSubmitPerms
Alias | mailNickname (Alias)
ConditionalCompany | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalCustomAttribute1 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalCustomAttribute10 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalCustomAttribute11 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalCustomAttribute12 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalCustomAttribute13 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalCustomAttribute14 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalCustomAttribute15 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalCustomAttribute2 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalCustomAttribute3 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalCustomAttribute4 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalCustomAttribute5 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalCustomAttribute6 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalCustomAttribute7 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalCustomAttribute8 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalCustomAttribute9 | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalDepartment | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ConditionalStateOrProvince | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
CustomAttribute1 | extensionAttribute1 (Custom Attribute 1)
CustomAttribute10 | extensionAttribute10 (Custom Attribute 10)
CustomAttribute11 | extensionAttribute11 (Custom Attribute 11)
CustomAttribute12 | extensionAttribute12 (Custom Attribute 12)
CustomAttribute13 | extensionAttribute13 (Custom Attribute 13)
CustomAttribute14 | extensionAttribute14 (Custom Attribute 14)
CustomAttribute15 | extensionAttribute15 (Custom Attribute 15)
CustomAttribute2 | extensionAttribute2 (Custom Attribute 2)
CustomAttribute3 | extensionAttribute3 (Custom Attribute 3)
CustomAttribute4 | extensionAttribute4 (Custom Attribute 4)
CustomAttribute5 | extensionAttribute5 (Custom Attribute 5)
CustomAttribute6 | extensionAttribute6 (Custom Attribute 6)
CustomAttribute7 | extensionAttribute7 (Custom Attribute 7)
CustomAttribute8 | extensionAttribute8 (Custom Attribute 8)
CustomAttribute9 | extensionAttribute9 (Custom Attribute 9)
DisplayName | displayName (Display Name)
EmailAddresses | proxyAddresses (Proxy Addresses)
EmailAddressPolicyEnabled | msExchPoliciesIncluded; msExchPoliciesExcluded
ExpansionServer | msExchExpansionServerName; homeMTA
ForceUpgrade | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata; proxyAddresses; msExchRecipientDisplayType
GrantSendOnBehalfTo | publicDelegates
HiddenFromAddressListsEnabled | showInAddressBook; msExchHideFromAddressLists
IncludedRecipients | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
ManagedBy | managedBy
MaxReceiveSize | delivContLength
MaxSendSize | submissionContLength
Name | name; cn
Notes | info
PhoneticDisplayName | msDS-PhoneticDisplayName
PrimarySmtpAddress | mail (E-Mail Address)
RecipientContainer | msExchDynamicDLBaseDN
RecipientFilter | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata
RejectMessagesFrom | unauthOrig
RejectMessagesFromDLMembers | dLMemRejectPerms
ReportToManagerEnabled | reportToOwner
ReportToOriginatorEnabled | reportToOriginator
RequireSenderAuthenticationEnabled | msExchRequireAuthToSendTo
SendOofMessageToOriginatorEnabled | oOFReplyToOriginator
SimpleDisplayName | displayNamePrintable
UMDtmfMap | msExchUMDtmfMap

New in Exchange 2007 Service Pack 1 (SP1)

The following table lists the settings that you can specify and the Active Directory attributes to which they correspond when you use the Set-MailPublicFolder cmdlet in the Exchange Management Shell. The attributes listed in this section relate to Microsoft Exchange. Therefore, they represent only a subset of what each task provides.

Set-MailPublicFolder properties

Exchange Management Shell property | Active Directory attribute
---------------------------------- | --------------------------
AcceptMessagesOnlyFrom | authOrig
AcceptMessagesOnlyFromDLMembers | dLMemSubmitPerms
Alias | mailNickname (Alias)
Contacts | pFContacts
CustomAttribute1 | extensionAttribute1 (Custom Attribute 1)
CustomAttribute10 | extensionAttribute10 (Custom Attribute 10)
CustomAttribute11 | extensionAttribute11 (Custom Attribute 11)
CustomAttribute12 | extensionAttribute12 (Custom Attribute 12)
CustomAttribute13 | extensionAttribute13 (Custom Attribute 13)
CustomAttribute14 | extensionAttribute14 (Custom Attribute 14)
CustomAttribute15 | extensionAttribute15 (Custom Attribute 15)
CustomAttribute2 | extensionAttribute2 (Custom Attribute 2)
CustomAttribute3 | extensionAttribute3 (Custom Attribute 3)
CustomAttribute4 | extensionAttribute4 (Custom Attribute 4)
CustomAttribute5 | extensionAttribute5 (Custom Attribute 5)
CustomAttribute6 | extensionAttribute6 (Custom Attribute 6)
CustomAttribute7 | extensionAttribute7 (Custom Attribute 7)
CustomAttribute8 | extensionAttribute8 (Custom Attribute 8)
CustomAttribute9 | extensionAttribute9 (Custom Attribute 9)
DeliverToMailboxAndForward | deliverAndRedirect
DisplayName | displayName (Display Name)
EmailAddresses | proxyAddresses (Proxy Addresses)
EmailAddressPolicyEnabled | msExchPoliciesIncluded; msExchPoliciesExcluded
GrantSendOnBehalfTo | publicDelegates
HiddenFromAddressListsEnabled | showInAddressBook; msExchHideFromAddressLists
MaxReceiveSize | delivContLength
MaxSendSize | submissionContLength
Name | name; cn
PhoneticDisplayName | msDS-PhoneticDisplayName
PrimarySmtpAddress | mail (E-Mail Address)
PublicFolderType | msExchPFTreeType
RejectMessagesFrom | unauthOrig
RejectMessagesFromDLMembers | dLMemRejectPerms
RequireSenderAuthenticationEnabled | msExchRequireAuthToSendTo
SimpleDisplayName | displayNamePrintable
UMDTMFMap | msExchUMDtmfMap
UseMapiRichTextFormat | mAPIRecipient
UsePreferMessageFormat | internetEncoding

The Exchange-related attributes are associated with user, inetOrgPerson, group, and contact class objects. In this section, these attributes are listed according to each tab in the Exchange Management Console.

By granting an Exchange Administrator Read and Write access to the attributes that are associated with the tabs documented in this section, the administrator can perform a particular function, such as manage e-mail addresses.

You can be more specific in granting permissions. For example, you can grant the Exchange Administrator the ability to modify only the attributes that are associated with a particular function on the tab, such as Delivery Restrictions. For more information, see Permission Considerations.

General Tab: Mailbox

The following table lists the attributes that can be viewed on the General tab of mailbox-enabled user objects when you use the Exchange Management Console.

Location | Attribute name | Description
-------- | -------------- | -----------
General tab | displayName (Display Name) | Display name
General tab | mailNickname (Alias) | Alias
General tab | msExchHideFromAddressLists | Hide from Address Book
Custom Attributes button | extensionAttribute1 (Custom Attribute 1) | Custom Attribute
Custom Attributes button | extensionAttribute10 (Custom Attribute 10) | Custom Attribute
Custom Attributes button | extensionAttribute11 (Custom Attribute 11) | Custom Attribute
Custom Attributes button | extensionAttribute12 (Custom Attribute 12) | Custom Attribute
Custom Attributes button | extensionAttribute13 (Custom Attribute 13) | Custom Attribute
Custom Attributes button | extensionAttribute14 (Custom Attribute 14) | Custom Attribute
Custom Attributes button | extensionAttribute15 (Custom Attribute 15) | Custom Attribute
Custom Attributes button | extensionAttribute2 (Custom Attribute 2) | Custom Attribute
Custom Attributes button | extensionAttribute3 (Custom Attribute 3) | Custom Attribute
Custom Attributes button | extensionAttribute4 (Custom Attribute 4) | Custom Attribute
Custom Attributes button | extensionAttribute5 (Custom Attribute 5) | Custom Attribute
Custom Attributes button | extensionAttribute6 (Custom Attribute 6) | Custom Attribute
Custom Attributes button | extensionAttribute7 (Custom Attribute 7) | Custom Attribute
Custom Attributes button | extensionAttribute8 (Custom Attribute 8) | Custom Attribute
Custom Attributes button | extensionAttribute9 (Custom Attribute 9) | Custom Attribute

General Tab: Mail-Enabled User or Mail-Enabled Contact Objects

The following table lists the attributes that can be viewed on the General tab of mail-enabled user or mail-enabled inetOrgPerson or mail-enabled contact objects when you use the Exchange Management Console.

Location | Attribute name | Description
-------- | -------------- | -----------
General tab | displayName (Display Name) | Display name
General tab | mailNickname (Alias) | Alias
General tab | msExchHideFromAddressLists | Hide from Address Book
General tab | mAPIRecipient | Use MAPI Rich Text Format (RTF)
Custom Attributes button | extensionAttribute1 (Custom Attribute 1) | Custom Attribute
Custom Attributes button | extensionAttribute10 (Custom Attribute 10) | Custom Attribute
Custom Attributes button | extensionAttribute11 (Custom Attribute 11) | Custom Attribute
Custom Attributes button | extensionAttribute12 (Custom Attribute 12) | Custom Attribute
Custom Attributes button | extensionAttribute13 (Custom Attribute 13) | Custom Attribute
Custom Attributes button | extensionAttribute14 (Custom Attribute 14) | Custom Attribute
Custom Attributes button | extensionAttribute15 (Custom Attribute 15) | Custom Attribute
Custom Attributes button | extensionAttribute2 (Custom Attribute 2) | Custom Attribute
Custom Attributes button | extensionAttribute3 (Custom Attribute 3) | Custom Attribute
Custom Attributes button | extensionAttribute4 (Custom Attribute 4) | Custom Attribute
Custom Attributes button | extensionAttribute5 (Custom Attribute 5) | Custom Attribute
Custom Attributes button | extensionAttribute6 (Custom Attribute 6) | Custom Attribute
Custom Attributes button | extensionAttribute7 (Custom Attribute 7) | Custom Attribute
Custom Attributes button | extensionAttribute8 (Custom Attribute 8) | Custom Attribute
Custom Attributes button | extensionAttribute9 (Custom Attribute 9) | Custom Attribute

General Tab: Mail-Enabled Group and Dynamic Distribution Group Objects

The following table lists the attributes that can be viewed on the General tab of mail-enabled group and dynamic distribution group objects when you use the Exchange Management Console.

Location | Attribute name | Description
-------- | -------------- | -----------
General tab | displayName (Display Name) | Display name
General tab | mailNickname (Alias) | Alias
Custom Attributes button | extensionAttribute1 (Custom Attribute 1) | Custom Attribute
Custom Attributes button | extensionAttribute10 (Custom Attribute 10) | Custom Attribute
Custom Attributes button | extensionAttribute11 (Custom Attribute 11) | Custom Attribute
Custom Attributes button | extensionAttribute12 (Custom Attribute 12) | Custom Attribute
Custom Attributes button | extensionAttribute13 (Custom Attribute 13) | Custom Attribute
Custom Attributes button | extensionAttribute14 (Custom Attribute 14) | Custom Attribute
Custom Attributes button | extensionAttribute15 (Custom Attribute 15) | Custom Attribute
Custom Attributes button | extensionAttribute2 (Custom Attribute 2) | Custom Attribute
Custom Attributes button | extensionAttribute3 (Custom Attribute 3) | Custom Attribute
Custom Attributes button | extensionAttribute4 (Custom Attribute 4) | Custom Attribute
Custom Attributes button | extensionAttribute5 (Custom Attribute 5) | Custom Attribute
Custom Attributes button | extensionAttribute6 (Custom Attribute 6) | Custom Attribute
Custom Attributes button | extensionAttribute7 (Custom Attribute 7) | Custom Attribute
Custom Attributes button | extensionAttribute8 (Custom Attribute 8) | Custom Attribute
Custom Attributes button | extensionAttribute9 (Custom Attribute 9) | Custom Attribute

User Information Tab: User Objects

The following table lists the attributes that can be viewed on the User Information tab of user or inetOrgPerson objects when you use the Exchange Management Console.

Location | Attribute name | Description
User Information tab | givenName | First Name
User Information tab | initials | Initials
User Information tab | sn | Last Name
User Information tab | cn | Name
User Information tab | displayNamePrintable | Simple Display Name
User Information tab | info | Notes

Contact Information Tab: Contact Objects

The following table lists the attributes that can be viewed on the User Information tab of contact objects when you use the Exchange Management Console.

Location | Attribute name | Description
User Information tab | givenName | First Name
User Information tab | initials | Initials
User Information tab | sn | Last Name
User Information tab | cn | Name
User Information tab | displayNamePrintable | Simple Display Name
User Information tab | info | Notes

Address and Phone Tab: User and Contact Objects

The following table lists the attributes that can be viewed on the Address and Phone tab of user, inetOrgPerson, and contact objects when you use the Exchange Management Console.

Location | Attribute name | Description
Address and Phone tab | streetAddress | Street Address
Address and Phone tab | l | City
Address and Phone tab | st | State/Province
Address and Phone tab | postalCode | ZIP/Postal Code
Address and Phone tab | c; co; countryCode | Country/region
Address and Phone tab | telephoneNumber | Business Phone
Address and Phone tab | pager | Pager
Address and Phone tab | homePhone | Home Phone
Address and Phone tab | facsimileTelephoneNumber | Fax Number
Address and Phone tab | mobile | Mobile Number

Organization Tab: User and Contact Objects

The following table lists the attributes that can be viewed on the Organization tab of user, inetOrgPerson, and contact objects when you use the Exchange Management Console.

Location | Attribute name | Description
Organization tab | title | Title
Organization tab | company | Company
Organization tab | department | Department
Organization tab | physicalDeliveryOfficeName | Office
Organization tab | manager | Manager
Organization tab | directReports | Direct Reports

Group Information Tab: Group Objects

The following table lists the attributes that can be viewed on the Group Information tab of group and dynamic group objects when you use the Exchange Management Console.

Location | Attribute name | Description
Group Information tab | cn; name | Name
Group Information tab | managedBy | Managed By
Group Information tab | info | Notes

E-Mail Addresses Tab

The following table lists the attributes that can be viewed on the E-Mail Addresses tab of a user, inetOrgPerson, group, dynamic distribution group, contact, or public folder object when you use the Exchange Management Console.

Location | Attribute name | Description
E-Mail Addresses tab | proxyAddresses (Proxy Addresses) | All proxy addresses
E-Mail Addresses tab | msExchPoliciesExcluded; msExchPoliciesIncluded | Controlled by recipient policy?
E-Mail Addresses tab | mail (E-Mail Address) | Primary e-mail address
E-Mail Addresses tab | textEncodedORAddress | Primary X.400 address

Mailbox Settings Tab: Mailbox

The following table lists the attributes that can be viewed on the Mailbox Settings tab of a mailbox-enabled user or inetOrgPerson object when you use the Exchange Management Console.

Location | Attribute name | Description
Messaging Records Management dialog box | msExchMailboxTemplateLink | Records Management Folder Policy
Messaging Records Management dialog box | msExchELCMailboxFlags | Suspension Flag
Messaging Records Management dialog box | msExchELCExpirySuspensionStart | Suspension Start Date/Time
Messaging Records Management dialog box | msExchELCExpirySuspensionEnd | Suspension End Date/Time
Storage Quotas dialog box | mDBOverHardQuotaLimit | Prohibit send/receive
Storage Quotas dialog box | mDBOverQuotaLimit | Prohibit send
Storage Quotas dialog box | mDBStorageQuota | Warning size
Storage Quotas dialog box | mDBUseDefaults | Use store defaults
Storage Quotas dialog box | garbageCollPeriod | Deleted item retention
Storage Quotas dialog box | deletedItemFlags | Deleted item retention

Mail Flow Settings Tab: Mailbox

The following table lists the attributes that can be viewed on the Mail Flow Settings tab of a mailbox-enabled user or inetOrgPerson object when you use the Exchange Management Console.

Location | Attribute name | Description
Delivery Options dialog box | deliverAndRedirect | Store and forward message
Delivery Options dialog box | publicDelegates | Send on behalf
Delivery Options dialog box | altRecipient | Forwarding address
Delivery Options dialog box | msExchRecipLimit | Maximum recipient limits
Message Size Restrictions dialog box | delivContLength | Prohibit receive size
Message Size Restrictions dialog box | submissionContLength | Prohibit send size
Message Delivery Restrictions dialog box | unauthOrig | Messages rejected from (for mailboxes)
Message Delivery Restrictions dialog box | authOrig | Messages accepted from (for mailboxes)
Message Delivery Restrictions dialog box | dLMemRejectPerms | Messages rejected from (for distribution groups)
Message Delivery Restrictions dialog box | dLMemSubmitPerms | Messages accepted from (for distribution groups)
Message Delivery Restrictions dialog box | msExchRequireAuthToSendTo | Restrict messages from authenticated users only

Mail Flow Settings Tab: Mail-Enabled Objects

The following table lists the attributes that can be viewed on the Mail Flow Settings tab of mail-enabled user, mail-enabled inetOrgPerson, mail-enabled contact, or distribution group objects when you use the Exchange Management Console.

Location | Attribute name | Description
Message Size Restrictions dialog box | delivContLength | Prohibit receive
Message Delivery Restrictions dialog box | unauthOrig | Messages rejected from (for mailboxes)
Message Delivery Restrictions dialog box | authOrig | Messages accepted from (for mailboxes)
Message Delivery Restrictions dialog box | dLMemRejectPerms | Messages rejected from (for distribution groups)
Message Delivery Restrictions dialog box | dLMemSubmitPerms | Messages accepted from (for distribution groups)
Message Delivery Restrictions dialog box | msExchRequireAuthToSendTo (Applies only to Exchange Server 2003) | Restrict messages from authenticated users only

Mail Flow Settings Tab: Public Folders

New in Exchange 2007 SP1

The following table lists the attributes that can be viewed on the Mail Flow Settings tab of a mail-enabled public folder object when you use the Exchange Management Console.

Location | Attribute name | Description
Delivery Options dialog box | deliverAndRedirect | Store and forward message
Delivery Options dialog box | publicDelegates | Send on behalf
Delivery Options dialog box | altRecipient | Forwarding address
Message Size Restrictions dialog box | delivContLength | Prohibit receive size
Message Size Restrictions dialog box | submissionContLength | Prohibit send size
Message Delivery Restrictions dialog box | unauthOrig | Messages rejected from (for mailboxes)
Message Delivery Restrictions dialog box | authOrig | Messages accepted from (for mailboxes)
Message Delivery Restrictions dialog box | dLMemRejectPerms | Messages rejected from (for distribution groups)
Message Delivery Restrictions dialog box | dLMemSubmitPerms | Messages accepted from (for distribution groups)
Message Delivery Restrictions dialog box | msExchRequireAuthToSendTo | Restrict messages from authenticated users only

Mailbox Features Tab: Mailboxes

The following table lists the attributes that can be viewed on the Mailbox Features tab of a mailbox-enabled user or inetOrgPerson object when you use the Exchange Management Console.

Location | Attribute name | Description
Mailbox Features tab | protocolSettings | Allows use of Internet Protocols
Mailbox Features tab | protocolSettings | Allows use of MAPI Clients
Mailbox Features tab | msExchOmaAdminWirelessEnable | Allows use of ActiveSync
Exchange ActiveSync properties | msExchMobileMailboxPolicyLink | ActiveSync Device Security Policy

Advanced Tab: Mail-Enabled Group and Dynamic Distribution Group Objects

The following table lists the attributes that can be viewed on the Advanced tab of mail-enabled group and dynamic distribution group objects when you use the Exchange Management Console.

Location | Attribute name | Description
Advanced tab | msExchHideFromAddressLists | Hide object from GAL
Advanced tab | showInAddressBook | Address Book object for which object is a member
Advanced tab | displayNamePrintable (Simple Display Name) | Legacy display name format for down-level mail systems
Advanced tab | msExchExpansionServerName; homeMTA | Group expansion Server
Advanced tab | oOFReplyToOriginator | Send OOF messages to message originator
Advanced tab | reportToOwner | Send delivery report to owner
Advanced tab | reportToOriginator | Send delivery report to originator

Resource Information Tab: Resource Mailboxes

The following table lists the attributes that can be viewed on the Resource Information tab of equipment or room mailbox-enabled user or inetOrgPerson objects when you use the Exchange Management Console.

Location | Attribute name | Description
Resource Information tab | msExchResourceCapacity | Resource Capacity
Resource Information tab | msExchResourceSearchProperties | Resource Custom Properties

Filter and Conditions Tabs: Dynamic Distribution Group Objects

The following table lists the attributes that can be viewed on the Filter and Conditions tabs of a dynamic distribution group object when you use the Exchange Management Console.

Location | Attribute name | Description
Filter tab; Conditions tab | msExchDynamicDLFilter; msExchQueryFilter; msExchQueryFilterMetadata | LDAP filter
Filter tab | msExchDynamicDLBaseDN | LDAP filter base distinguished name

Exchange General Tab: Public Folders

New in Exchange 2007 SP1

The following table lists the attributes that can be viewed on the Exchange General tab of mail-enabled public folder objects when you use the Exchange Management Console.

Location | Attribute name | Description
Exchange General tab | displayName (Display Name) | Display name
Exchange General tab | mailNickname (Alias) | Alias
Exchange General tab | msExchHideFromAddressLists | Hide from Address Book
Exchange General tab | displayNamePrintable (Simple Display Name) | Legacy display name format for down-level mail systems
Custom Attributes button | extensionAttribute1 (Custom Attribute 1) | Custom Attribute
Custom Attributes button | extensionAttribute10 (Custom Attribute 10) | Custom Attribute
Custom Attributes button | extensionAttribute11 (Custom Attribute 11) | Custom Attribute
Custom Attributes button | extensionAttribute12 (Custom Attribute 12) | Custom Attribute
Custom Attributes button | extensionAttribute13 (Custom Attribute 13) | Custom Attribute
Custom Attributes button | extensionAttribute14 (Custom Attribute 14) | Custom Attribute
Custom Attributes button | extensionAttribute15 (Custom Attribute 15) | Custom Attribute
Custom Attributes button | extensionAttribute2 (Custom Attribute 2) | Custom Attribute
Custom Attributes button | extensionAttribute3 (Custom Attribute 3) | Custom Attribute
Custom Attributes button | extensionAttribute4 (Custom Attribute 4) | Custom Attribute
Custom Attributes button | extensionAttribute5 (Custom Attribute 5) | Custom Attribute
Custom Attributes button | extensionAttribute6 (Custom Attribute 6) | Custom Attribute
Custom Attributes button | extensionAttribute7 (Custom Attribute 7) | Custom Attribute
Custom Attributes button | extensionAttribute8 (Custom Attribute 8) | Custom Attribute
Custom Attributes button | extensionAttribute9 (Custom Attribute 9) | Custom Attribute
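
The tables above map console labels to LDAP attribute names. When a delegated administrator reports that the console shows one value and the directory holds another, it helps to read the raw attributes straight from Active Directory. The following snippet is an added example and is not part of the original article: it uses System.DirectoryServices rather than an Exchange cmdlet, escapes the alias before placing it in the LDAP filter so that a supplied value cannot alter the query, and defaults to the attribute set of the E-Mail Addresses and Mailbox Settings tabs. The function names and the default attribute list are the example's own choices.

```powershell
# Added example, not from the original article. Reads the LDAP attributes that the
# E-Mail Addresses and Mailbox Settings tabs display, straight from the directory.
# Run in the Exchange Management Shell or any PowerShell session on a domain member.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves in filter values, so the alias
    # cannot change the shape of the LDAP filter. Backslash must go first.
    param([Parameter(Mandatory = $true)][string]$Value)
    $v = $Value -replace '\\', '\5c'
    $v = $v -replace '\*', '\2a'
    $v = $v -replace '\(', '\28'
    $v = $v -replace '\)', '\29'
    $v = $v -replace "`0", '\00'
    return $v
}

function Get-RecipientRawAttributes {
    param(
        [Parameter(Mandatory = $true)][string]$Alias,
        # Default set: the attributes listed for the E-Mail Addresses and
        # Mailbox Settings tabs in the tables above.
        [string[]]$Attributes = @(
            "proxyAddresses", "msExchPoliciesIncluded", "msExchPoliciesExcluded",
            "mail", "textEncodedORAddress",
            "msExchMailboxTemplateLink", "msExchELCMailboxFlags",
            "msExchELCExpirySuspensionStart", "msExchELCExpirySuspensionEnd",
            "mDBOverHardQuotaLimit", "mDBOverQuotaLimit", "mDBStorageQuota",
            "mDBUseDefaults", "garbageCollPeriod", "deletedItemFlags"
        )
    )

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $searcher.SearchScope = "Subtree"
    # mailNickname is the alias; this matches user, inetOrgPerson, contact and group objects.
    $searcher.Filter = "(mailNickname=" + (ConvertTo-LdapFilterValue $Alias) + ")"
    foreach ($name in $Attributes) { [void]$searcher.PropertiesToLoad.Add($name) }

    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "No recipient with alias '$Alias' was found." }

    # ResultPropertyCollection keys are lower-case. Report unset attributes explicitly
    # so that "not set" is not confused with an empty string.
    $table = @{}
    foreach ($name in $Attributes) {
        $values = $hit.Properties[$name.ToLower()]
        if ($values -eq $null -or $values.Count -eq 0) {
            $table[$name] = "<not set>"
        } else {
            $table[$name] = [string]::Join("; ", @($values | ForEach-Object { "$_" }))
        }
    }
    $table["adsPath"] = $hit.Path
    return $table
}

# Usage (alias is a constructed sample value):
# Get-RecipientRawAttributes -Alias "jsmith" | Format-Table -AutoSize
```

Multi-valued attributes such as proxyAddresses come back joined with semicolons; binary attributes are not in the default set because they print as byte arrays. Pass your own -Attributes list to read the attributes of any other tab in the tables above.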

Each organization defines what it expects from an Exchange administrator. However, Exchange administrators must perform certain common tasks with regard to user and inetOrgPerson objects, such as the following:

  • Mailbox-enabling user or inetOrgPerson objects

  • Moving mailboxes

  • Mailbox-disabling user or inetOrgPerson objects

  • Changing properties on mailbox-enabled user or inetOrgPerson objects

  • Mail-enabling user or inetOrgPerson objects

  • Mail-disabling user or inetOrgPerson objects

  • Changing properties on mail-enabled user or inetOrgPerson objects

Administrators can perform these tasks by using the Exchange Management Console or the Exchange Management Shell.

Note

This section does not discuss the rights that are needed to run the New-Mailbox, New-MailUser, Remove-Mailbox, and Remove-MailUser cmdlets. In addition to the rights listed in the "Mail-Enabling User Objects" and "Mail-Disabling User Objects" sections here, an administrator must also be able to create and delete user or inetOrgPerson objects. For more information about what rights are required to create user or inetOrgPerson objects, see Best Practices for Delegating Active Directory Administration.

Mailbox-Enabling User Objects

To run the Enable-Mailbox cmdlet, the account you use must be delegated the Exchange View-Only Administrator role.

The Exchange administrator must have Read and Write access to the following user or inetOrgPerson object attributes.

authOrig

dlMemSubmitPerms

homeMDB

homeMTA

legacyExchangeDN

mail

mailNickname

mDBUseDefaults

msExchHomeServerName

msExchMailboxGuid

msExchMailboxSecurityDescriptor

msExchMailboxTemplateLink

msExchMasterAccountSid

msExchMobileMailboxPolicyLink

msExchPoliciesExcluded

msExchPoliciesIncluded

msExchRecipientDisplayType

msExchRecipientTypeDetails

msExchResourceDisplay

msExchResourceMetaData

msExchResourceSearchProperties

msExchUserAccountControl

msExchVersion

protocolSettings

proxyAddresses

publicDelegates

securityProtocol

showInAddressBook

textEncodedORAddress

unauthOrig

The administrator requires the Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to apply the appropriate address information to the object.

The administrator must also have write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet. The administrator must also have write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.

In addition, the administrator must be able to read and modify the security permissions on the user or inetOrgPerson objects so that the task can apply the appropriate permissions for resource, shared, and linked mailboxes.

You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions. For example, to grant the ability to mailbox-enable existing user objects, the following steps must be performed:

  1. Run the following command to grant the OU1AdminGroup security group the ability to manage Exchange-related attributes on the user objects in the organizational unit (OU).

    Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties authOrig,dlMemRejectPerms,dlMemSubmitPerms,homeMDB,homeMTA,legacyExchangeDN,mail,mailNickname,mDBUseDefaults,msExchHomeServerName,msExchMailboxGuid,msExchMailboxSecurityDescriptor,msExchMailboxTemplateLink,msExchMasterAccountSid,msExchMobileMailboxPolicyLink,msExchPoliciesExcluded,msExchPoliciesIncluded,msExchRecipientDisplayType,msExchRecipientTypeDetails,msExchResourceDisplay,msExchResourceMetaData,msExchResourceSearchProperties,msExchUserAccountControl,msExchVersion,protocolSettings,proxyAddresses,publicDelegates,securityProtocol,showInAddressBook,textEncodedORAddress,unauthOrig -InheritedObjectType User -InheritanceType Descendents
    
  2. Run the following command to grant the Admin account the ability to change the discretionary access control list of the user objects in the OU.

    Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights WriteDACL,ReadControl -InheritedObjectType User -InheritanceType Descendents 
    
  3. Run the following command to grant the Admin account the extended right to access the Recipient Update Service.

    Add-ADPermission -Identity "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -InheritedObjectType ms-Exch-Exchange-Server -ExtendedRights ms-Exch-Recipient-Update-Access -InheritanceType Descendents
    
  4. Run the following commands to grant the Admin account the ability to update the address lists and e-mail address policies.

    Add-ADPermission -Identity "CN=Address Lists Container,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
    Add-ADPermission -Identity "CN=Recipient Policies,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
    

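Granting is only half of a split-permissions model; the other half is confirming that what was granted is exactly the documented set and nothing wider. The following script is an added verification example and is not part of the original article. It reads the explicit ACEs for the delegated account with Get-ADPermission, compares the WriteProperty grants on the OU against the attribute list above, flags any ACE that writes the whole object, and then checks that the Recipient Update Service extended right is present on the administrative group. It reuses the article's placeholder names (OU=OUContainer1,DC=Contoso,DC=com, company\Admin, ContosoOrg); the function name and report layout are the example's own. The same function, fed the respective attribute list, checks the Move-Mailbox, Disable-Mailbox and Enable-MailUser delegations described later.

```powershell
# Added example, not from the original article. Compares the ACEs actually granted to the
# delegated account against the Enable-Mailbox attribute set and reports any drift.
# Placeholder names (OU, account, organization) follow the article; adjust for your forest.

$ou         = "OU=OUContainer1,DC=Contoso,DC=com"
$account    = "company\Admin"
$adminGroup = "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups," +
              "CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com"

# The attribute set the article lists for mailbox-enabling user objects.
$expected = @(
    "authOrig","dlMemSubmitPerms","homeMDB","homeMTA","legacyExchangeDN","mail","mailNickname",
    "mDBUseDefaults","msExchHomeServerName","msExchMailboxGuid","msExchMailboxSecurityDescriptor",
    "msExchMailboxTemplateLink","msExchMasterAccountSid","msExchMobileMailboxPolicyLink",
    "msExchPoliciesExcluded","msExchPoliciesIncluded","msExchRecipientDisplayType",
    "msExchRecipientTypeDetails","msExchResourceDisplay","msExchResourceMetaData",
    "msExchResourceSearchProperties","msExchUserAccountControl","msExchVersion","protocolSettings",
    "proxyAddresses","publicDelegates","securityProtocol","showInAddressBook",
    "textEncodedORAddress","unauthOrig"
)

function Test-PropertyDelegation {
    param([string]$Identity, [string]$User, [string[]]$ExpectedProperties)

    # Explicit allow ACEs for this principal only; inherited entries were granted elsewhere.
    $aces = Get-ADPermission -Identity $Identity -User $User |
        Where-Object { (-not $_.IsInherited) -and (-not $_.Deny) }

    $writeProps = @()
    $wholeObjectWrite = $false
    foreach ($ace in $aces) {
        $rights = "$($ace.AccessRights)"              # e.g. "ReadProperty WriteProperty"
        if ($rights -match "GenericAll|GenericWrite") { $wholeObjectWrite = $true }
        if ($rights -match "WriteProperty") {
            # A WriteProperty ACE with no property list covers every attribute of the object.
            if ((-not $ace.Properties) -or $ace.Properties.Count -eq 0) { $wholeObjectWrite = $true }
            else { $writeProps += @($ace.Properties | ForEach-Object { "$_" }) }
        }
    }
    $granted = @($writeProps | Sort-Object -Unique)

    $report = New-Object PSObject
    $report | Add-Member NoteProperty Identity         $Identity
    $report | Add-Member NoteProperty WholeObjectWrite $wholeObjectWrite
    $report | Add-Member NoteProperty Missing @($ExpectedProperties | Where-Object { $granted -notcontains $_ })
    $report | Add-Member NoteProperty Extra   @($granted | Where-Object { $ExpectedProperties -notcontains $_ })
    return $report
}

Test-PropertyDelegation -Identity $ou -User $account -ExpectedProperties $expected | Format-List

# The Recipient Update Service right lives on the administrative group, not on the OU.
$rus = Get-ADPermission -Identity $adminGroup -User $account |
    Where-Object { (-not $_.Deny) -and ("$($_.ExtendedRights)" -match "ms-Exch-Recipient-Update-Access") }
if (-not $rus) {
    Write-Warning "ms-Exch-Recipient-Update-Access is not granted to $account on the administrative group"
}
```

Because the command in step 1 also grants dlMemRejectPerms, which the attribute list above does not include, the report lists it under Extra; decide whether that grant is intended and either add it to $expected or drop it from the delegation. WholeObjectWrite is the value to watch: a WriteProperty or GenericWrite ACE without a property list gives the account write access to every attribute of every user in the OU, which defeats the purpose of splitting permissions.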
Moving Mailboxes

To run the Move-Mailbox cmdlet between servers that are running Exchange Server in the organization, the Exchange administrator must have the appropriate rights in the configuration partition. For more information about how to delegate the role, see How to Delegate Server Administration.

  • You must be a local administrator and have the following role on the source Exchange server:

    • If the source Exchange server is running Exchange 2007, the account you use must be delegated the Exchange Server Administrator role.

    • If the source Exchange server is running Microsoft Exchange Server 2003, the account you use must be delegated the Exchange Administrator role on the administrative group where the Exchange 2003 server resides.

  • You must be a local administrator and have the following permission on the target Exchange server:

    • If the target Exchange server is running Exchange 2007, the account you use must be delegated the Exchange Server Administrator role.

    • If the target Exchange server is running Exchange 2003, the account you use must be delegated the Exchange Administrator role on the administrative group where the Exchange 2003 server resides.

The administrator must be a member of the Administrators group on the local workstation or server to create a dynamic MAPI profile.

In addition, the Exchange administrator must have Read and Write access to the following user or inetOrgPerson object attributes:

  • homeMDB

  • homeMTA

  • msExchHomeServerName

  • targetAddress

  • protocolSettings

  • proxyAddresses

The following attributes may be modified or removed when you move a mailbox between a server that runs Exchange 2007 and a server that runs a legacy version of Exchange Server (Exchange 2000 Server or Exchange Server 2003).

mDBOverHardQuotaLimit

mDBOverQuotaLimit

mDBStorageQuota

msExchELCExpirySuspensionEnd

msExchELCExpirySuspensionStart

msExchELCMailboxFlags

msExchMailboxTemplateLink

msExchMDBRulesQuota

msExchMessageHygieneFlags

msExchMessageHygieneSCLDeleteThreshold

msExchMessageHygieneSCLJunkThreshold

msExchMessageHygieneSCLQuarantineThreshold

msExchMessageHygieneSCLRejectThreshold

msExchMobileAllowedDeviceIDs

msExchMobileDebugLogging

msExchMobileMailboxFlags

msExchMobileMailboxPolicyLink

msExchOmaAdminExtendedSettings

msExchOmaAdminWirelessEnable

msExchRecipientDisplayType

msExchRecipientTypeDetails

msExchResourceCapacity

msExchResourceDisplay

msExchResourceMetaData

msExchResourceSearchProperties

msExchUMAudioCodec

msExchUMEnabledFlags

msExchUMOperatorNumber

msExchUMPinChecksum

msExchUMRecipientDialPlanLink

msExchUMServerWritableFlags

msExchUMSpokenName

msExchUMTemplateLink

msExchUserCulture

msExchVersion

You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain partition. For example, to update the attributes necessary to move the mailboxes, run the following command to grant the Admin account the ability to manage Exchange-related attributes on the user objects in the OU.

Add-ADPermission "OU=OUContainer1,DC=company,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties homeMDB,homeMTA,mDBOverHardQuotaLimit,mDBOverQuotaLimit,mDBStorageQuota,msExchELCExpirySuspensionEnd,msExchELCExpirySuspensionStart,msExchELCMailboxFlags,msExchHomeServerName,msExchMailboxTemplateLink,msExchMDBRulesQuota,msExchMessageHygieneFlags,msExchMessageHygieneSCLDeleteThreshold,msExchMessageHygieneSCLJunkThreshold,msExchMessageHygieneSCLQuarantineThreshold,msExchMessageHygieneSCLRejectThreshold,msExchMobileAllowedDeviceIDs,msExchMobileDebugLogging,msExchMobileMailboxFlags,msExchMobileMailboxPolicyLink,msExchOmaAdminExtendedSettings,msExchOmaAdminWirelessEnable,msExchRecipientDisplayType,msExchRecipientTypeDetails,msExchResourceCapacity,msExchResourceDisplay,msExchResourceMetaData,msExchResourceSearchProperties,msExchUMAudioCodec,msExchUMEnabledFlags,msExchUMOperatorNumber,msExchUMPinChecksum,msExchUMRecipientDialPlanLink,msExchUMServerWritableFlags,msExchUMSpokenName,msExchUMTemplateLink,msExchUserCulture,msExchVersion,protocolSettings,proxyAddresses,targetAddress -InheritedObjectType User -InheritanceType Descendents

Mailbox-Disabling User Objects

To run the Disable-Mailbox cmdlet against a user or inetOrgPerson object, the Exchange administrator must have the appropriate rights in the configuration partition. For more information about how to delegate the role, see How to Delegate Server Administration.

  • You must be a local administrator and have the following role on the Exchange server where the mailbox resides:

    • If the Exchange server is running Exchange 2007, the account does not require any role; you only need the permissions defined below. However, when you run Disable-Mailbox, you will receive the warning "Failed to commit the change on object "<Mailbox GUID>" because access is denied". This warning means that an attempt was made to disable the mailbox in the store immediately but the action failed for some reason. The mailbox is instead disabled later, in batch, when online maintenance runs for the store in which the mailbox resides.

    • If the Exchange server is running Exchange 2003, the account you use must be delegated the Exchange Administrator role on the administrative group where the Exchange 2003 server resides.

The Exchange administrator must also have the Administer Information Store permission on the Exchange organization container. In addition, the Exchange administrator must have Read and Write access to the following user or inetOrgPerson object attributes.

altRecipient

authOrig

deletedItemFlags

delivContLength

deliverAndRedirect

displayNamePrintable

dlMemRejectPerms

dlMemSubmitPerms

extensionAttribute1

extensionAttribute10

extensionAttribute11

extensionAttribute12

extensionAttribute13

extensionAttribute14

extensionAttribute15

extensionAttribute2

extensionAttribute3

extensionAttribute4

extensionAttribute5

extensionAttribute6

extensionAttribute7

extensionAttribute8

extensionAttribute9

garbageCollPeriod

homeMDB

homeMTA

legacyExchangeDN

mailNickname

mDBOverHardQuotaLimit

mDBOverQuotaLimit

mDBStorageQuota

mDBUseDefaults

msExchELCExpirySuspensionEnd

msExchELCExpirySuspensionStart

msExchELCMailboxFlags

msExchExternalOOFOptions

msExchHideFromAddressLists

msExchHomeServerName

msExchMailboxGuid

msExchMailboxSecurityDescriptor

msExchMailboxTemplateLink

msExchMasterAccountSid

msExchMDBRulesQuota

msExchPoliciesExcluded

msExchPoliciesIncluded

msExchRecipientDisplayType

msExchRecipientTypeDetails

msExchRecipLimit

msExchRequireAuthToSendTo

msExchResourceCapacity

msExchResourceMetaData

msExchResourceSearchProperties

msExchResourceDisplay

msExchUMAudioCodec

msExchUMEnabledFlags

msExchUMOperatorNumber

msExchUMPinChecksum

msExchUMRecipientDialPlanLink

msExchUMTemplateLink

msExchUseOAB

msExchUserAccountControl

msExchUserCulture

msExchVersion

protocolSettings

proxyAddresses

publicDelegates

securityProtocol

showInAddressBook

submissionContLength

textEncodedORAddress

unauthOrig

You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions.

For example, to disable mailboxes, you must follow these steps:

  1. Run the following command to grant the Admin account the ability to manage Exchange-related attributes on the user objects in the OU.

    Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties altRecipient,authOrig,deletedItemFlags,delivContLength,deliverAndRedirect,displayNamePrintable,dlMemRejectPerms,dlMemSubmitPerms,extensionAttribute1,extensionAttribute10,extensionAttribute11,extensionAttribute12,extensionAttribute13,extensionAttribute14,extensionAttribute15,extensionAttribute2,extensionAttribute3,extensionAttribute4,extensionAttribute5,extensionAttribute6,extensionAttribute7,extensionAttribute8,extensionAttribute9,garbageCollPeriod,homeMDB,homeMTA,legacyExchangeDN,mailNickName,mDBOverHardQuotaLimit,mDBOverQuotaLimit,mDBStorageQuota,mDBUseDefaults,msExchELCExpirySuspensionEnd,msExchELCExpirySuspensionStart,msExchELCMailboxFlags,msExchExternalOOFOptions,msExchHideFromAddressLists,msExchHomeServerName,msExchMailboxGuid,msExchMailboxSecurityDescriptor,msExchMailboxTemplateLink,msExchMasterAccountSid,msExchMDBRulesQuota,msExchPoliciesExcluded,msExchPoliciesIncluded,msExchRecipientDisplayType,msExchRecipientTypeDetails,msExchRecipLimit,msExchRequireAuthToSendTo,msExchResourceCapacity,msExchResourceMetaData,msExchResourceSearchProperties,msExchResourceDisplay,msExchUMAudioCodec,msExchUMEnabledFlags,msExchUMOperatorNumber,msExchUMPinChecksum,msExchUMRecipientDialPlanLink,msExchUMTemplateLink,msExchUseOAB,msExchUserAccountControl,msExchUserCulture,msExchVersion,protocolSettings,proxyAddresses,publicDelegates,securityProtocol,showInAddressBook,submissionContLength,textEncodedORAddress,unauthOrig -InheritedObjectType User -InheritanceType Descendents
    
  2. To avoid receiving the store warning mentioned above, run the following command to grant the Admin account the Administer Information Store extended right.

    Add-ADPermission -Identity "CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -ExtendedRights ms-Exch-Store-Admin -InheritanceType All
    

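Step 2 grants ms-Exch-Store-Admin on the organization container with -InheritanceType All, so the right applies to every store in the organization, not only to the mailboxes in the OU; once the delegated task is finished, that grant is the first thing to take back. The following is an added example and is not part of the original article: it reads the explicit ACEs for the account back with Get-ADPermission, pipes them to Remove-ADPermission (dry-running first with -WhatIf), and then confirms that nothing explicit remains on either object. It reuses the article's placeholder names (OU=OUContainer1,DC=Contoso,DC=com, ContosoOrg, company\Admin); the function names are the example's own.

```powershell
# Added example, not from the original article. Revokes the Disable-Mailbox delegation granted
# in the steps above and confirms that no explicit ACE for the account remains on either object.

$ou      = "OU=OUContainer1,DC=Contoso,DC=com"
$org     = "CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com"
$account = "company\Admin"

function Get-ExplicitAce {
    # Explicit (non-inherited) ACEs that name the account on one object.
    param([string]$Identity, [string]$User)
    Get-ADPermission -Identity $Identity -User $User | Where-Object { -not $_.IsInherited }
}

function Revoke-Delegation {
    param([string[]]$Identities, [string]$User, [switch]$WhatIf)
    foreach ($id in $Identities) {
        $aces = @(Get-ExplicitAce -Identity $id -User $User)
        if ($aces.Count -eq 0) { Write-Host "No explicit ACEs for $User on $id"; continue }
        foreach ($ace in $aces) {
            Write-Host ("Removing [{0}] [{1}] on {2}" -f "$($ace.AccessRights)", "$($ace.ExtendedRights)", $id)
        }
        # Piping the live ACEs back in removes exactly what was granted (property list,
        # inherited object type and inheritance scope included) without retyping them.
        $aces | Remove-ADPermission -Confirm:$false -WhatIf:$WhatIf
    }
}

# Dry run first so the console shows what would be removed, then the real revocation.
Revoke-Delegation -Identities @($ou, $org) -User $account -WhatIf
Revoke-Delegation -Identities @($ou, $org) -User $account

# Verify: nothing explicit should remain for the account on either object.
foreach ($id in @($ou, $org)) {
    $left = @(Get-ExplicitAce -Identity $id -User $account)
    if ($left.Count -gt 0) {
        Write-Warning ("{0} explicit ACE(s) for {1} still present on {2}" -f $left.Count, $account, $id)
    } else {
        Write-Host "Clean: $id"
    }
}
```

This removes every explicit ACE the account holds on the two objects. If the same account also carries the Enable-Mailbox or Move-Mailbox delegation on the same OU, narrow the Where-Object filter in Get-ExplicitAce (for example, to ACEs whose ExtendedRights contain ms-Exch-Store-Admin, or whose Properties match the Disable-Mailbox list) before running the removal.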
Changing Mailbox-Enabled User Object Properties

To run the Set-Mailbox, Set-UMMailbox or Set-CASMailbox cmdlet against a user or inetOrgPerson object:

  • The account you use must be delegated the Exchange View-Only Administrator role.

  • The Exchange administrator must have Read and Write access to the desired user or inetOrgPerson object attributes. For more information about how the Set-Mailbox, Set-UMMailbox, or Set-CASMailbox task properties map to the Active Directory attributes, see the "Mailbox-Enabled User-Related Properties" section earlier in this article.

In addition, because the Set-Mailbox, Set-UMMailbox, or Set-CASMailbox cmdlets are used to make sure that the object is assigned to the appropriate e-mail address policy, the Exchange Administrator also requires the following permissions:

  • The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.

  • Read and Write access to the following attributes:

    • proxyAddresses

    • msExchPoliciesIncluded

    • msExchPoliciesExcluded

    • mail

    • textEncodedORAddress

Mail-Enabling User Objects

To run the Enable-MailUser cmdlet against a user or inetOrgPerson object, the account you use must be delegated the Exchange View-Only Administrator role.

The Exchange administrator must have Read and Write access to the following user or inetOrgPerson object attributes.

authOrig

dlMemRejectPerms

dLMemSubmitPerms

internetEncoding

legacyExchangeDN

mail

mailNickname

msExchPoliciesExcluded

msExchPoliciesIncluded

msExchRecipientDisplayType

msExchVersion

protocolSettings

proxyAddresses

publicDelegates

showInAddressBook

targetAddress

textEncodedORAddress

unauthOrig

In addition, the administrator requires the Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information. The administrator must also have write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet. The administrator must also have write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.

You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions.

For example, to grant the ability to mail-enable existing user objects, the following steps must be performed.

  1. Run the following command to grant the Admin account the ability to manage Exchange-related attributes on the user objects in the OU:

    Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties textEncodedORAddress,mail,msExchRecipientDisplayType,msExchVersion,authOrig,dLMemSubmitPerms,showInAddressBook,mailNickName,proxyAddresses,targetAddress,publicDelegates,internetEncoding,legacyExchangeDN,msExchPoliciesIncluded,msExchPoliciesExcluded,protocolSettings,unAuthOrig,dlMemRejectPerms -InheritedObjectType User -InheritanceType Descendents
    
  2. Run the following command to grant the Admin account the extended right to access the Recipient Update Service.

    Add-ADPermission -Identity "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -InheritedObjectType ms-Exch-Exchange-Server -ExtendedRights ms-Exch-Recipient-Update-Access -InheritanceType Descendents
    
  3. Run the following commands to grant the Admin account the ability to update the address lists and e-mail address policies.

    Add-ADPermission -Identity "CN=Address Lists Container,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
    Add-ADPermission -Identity "CN=Recipient Policies,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
    

Mail-Disabling User Objects

To run the Disable-MailUser cmdlet against a user or inetOrgPerson object, the account you use must be delegated the Exchange View-Only Administrator role.

The Exchange administrator must have Read and Write access to the following user or inetOrgPerson object attributes.

authOrig

delivContLength

displayNamePrintable

dlMemRejectPerms

dlMemSubmitPerms

extensionAttribute1

extensionAttribute2

extensionAttribute3

extensionAttribute4

extensionAttribute5

extensionAttribute6

extensionAttribute7

extensionAttribute8

extensionAttribute9

extensionAttribute10

extensionAttribute11

extensionAttribute12

extensionAttribute13

extensionAttribute14

extensionAttribute15

internetEncoding

legacyExchangeDN

mailNickname

mAPIRecipient

msExchHideFromAddressLists

msExchPoliciesExcluded

msExchPoliciesIncluded

msExchRecipientDisplayType

msExchRecipLimit

msExchRequireAuthToSendTo

msExchVersion

protocolSettings

proxyAddresses

publicDelegates

showInAddressBook

submissionContLength

targetAddress

textEncodedORAddress

unauthOrig

You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions.

For example, to grant the ability to mail-disable user objects, run the following command to grant the Admin account the ability to manage Exchange-related attributes on the user objects in the OU.

Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties authOrig,delivContLength,displayNamePrintable,dlMemRejectPerms,dlMemSubmitPerms,extensionAttribute1,extensionAttribute10,extensionAttribute11,extensionAttribute12,extensionAttribute13,extensionAttribute14,extensionAttribute15,extensionAttribute2,extensionAttribute3,extensionAttribute4,extensionAttribute5,extensionAttribute6,extensionAttribute7,extensionAttribute8,extensionAttribute9,internetEncoding,legacyExchangeDN,mailNickname,mAPIRecipient,msExchHideFromAddressLists,msExchPoliciesExcluded,msExchPoliciesIncluded,msExchRecipientDisplayType,msExchRecipLimit,msExchRequireAuthToSendTo,msExchVersion,protocolSettings,proxyAddresses,publicDelegates,showInAddressBook,submissionContLength,targetAddress,textEncodedORAddress,unauthOrig -InheritedObjectType User -InheritanceType Descendents

Changing Mail-Enabled User Object Properties

To run the Set-MailUser cmdlet against a user or inetOrgPerson object, the following permissions are required:

  • The account you use must be delegated the Exchange View-Only Administrator role.

  • The Exchange administrator must have Read and Write access to the desired user or inetOrgPerson object attributes. For more information about how the Set-MailUser properties map to the Active Directory attributes, see the "Mailbox-Enabled User-Related Properties" section earlier in this topic.

In addition, because you must use the Set-MailUser cmdlet to make sure that the object is assigned to the appropriate E-mail Address Policy, the Exchange Administrator also requires the following:

  • The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.

  • Read and Write access to the following attributes:

    • proxyAddresses

    • msExchPoliciesIncluded

    • msExchPoliciesExcluded

    • mail

    • textEncodedORAddress

Each organization defines what it expects from an Exchange administrator. However, Exchange administrators have to perform certain common tasks with regard to contact objects, such as the following:

  • Mail-enabling contact objects

  • Mail-disabling contact objects

  • Changing properties on mail-enabled contact objects

Administrators can perform these tasks by using the Exchange Management Console or the Exchange Management Shell.

Note

This section does not discuss the rights that are needed to run the New-MailContact and Remove-MailContact cmdlets. In addition to the rights listed in the Mail-Enabling and Mail-Disabling sections, an administrator must also be able to create and delete contact objects. For more information about what rights are required to create contact objects, see Best Practices for Delegating Active Directory Administration.

Mail-Enabling Contact Objects

To run the Enable-MailContact cmdlet on a contact object, the account you use must be delegated the Exchange View-Only Administrator role.

The Exchange administrator must have Read and Write access to the following contact object attributes:

authOrig

displayName

dlMemRejectPerms

dLMemSubmitPerms

internetEncoding

legacyExchangeDN

mail

mailNickname

msExchPoliciesExcluded

msExchPoliciesIncluded

msExchRecipientDisplayType

msExchVersion

protocolSettings

proxyAddresses

publicDelegates

showInAddressBook

targetAddress

textEncodedORAddress

unauthOrig

In addition, the administrator requires the following:

  • The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.

You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions.

For example, to grant the ability to mail-enable existing contact objects, the following steps must be performed:

  1. Run the following command to grant the Admin account the ability to manage Exchange-related attributes on the contact objects in the OU.

    Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties displayName,textEncodedORAddress,mail,msExchRecipientDisplayType,msExchVersion,authOrig,dLMemSubmitPerms,showInAddressBook,mailNickName,proxyAddresses,targetAddress,publicDelegates,internetEncoding,legacyExchangeDN,msExchPoliciesIncluded,msExchPoliciesExcluded,protocolSettings,unAuthOrig,dlMemRejectPerms -InheritedObjectType Contact -InheritanceType Descendents
    
  2. Run the following command to grant the Admin account the extended right to access the Recipient Update Service.

    Add-ADPermission -Identity "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -InheritedObjectType ms-Exch-Exchange-Server -ExtendedRights ms-Exch-Recipient-Update-Access -InheritanceType Descendents
    
  3. Run the following commands to grant the Admin account the ability to update the address lists and e-mail address policies.

    Add-ADPermission -Identity "CN=Address Lists Container,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
    Add-ADPermission -Identity "CN=Recipient Policies,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
    

Mail-Disabling Contact Objects

To run the Disable-MailContact cmdlet against a contact object, the account you use must be delegated the Exchange View-Only Administrator role.

The Exchange administrator must have Read and Write access to the following contact object attributes:

authOrig

delivContLength

displayNamePrintable

dlMemRejectPerms

dlMemSubmitPerms

extensionAttribute1

extensionAttribute2

extensionAttribute3

extensionAttribute4

extensionAttribute5

extensionAttribute6

extensionAttribute7

extensionAttribute8

extensionAttribute9

extensionAttribute10

extensionAttribute11

extensionAttribute12

extensionAttribute13

extensionAttribute14

extensionAttribute15

internetEncoding

legacyExchangeDN

mailNickname

mAPIRecipient

msExchHideFromAddressLists

msExchPoliciesExcluded

msExchPoliciesIncluded

msExchRecipientDisplayType

msExchRecipLimit

msExchRequireAuthToSendTo

msExchVersion

protocolSettings

proxyAddresses

publicDelegates

showInAddressBook

submissionContLength

targetAddress

textEncodedORAddress

unauthOrig

You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions. For example, to grant the ability to mail-disable contact objects, run the following command to grant the Admin account the ability to manage Exchange-related attributes on the contact objects in the OU.

Add-ADPermission "OU=OUContainer1,DC=company,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties authOrig,delivContLength,displayNamePrintable,dlMemRejectPerms,dlMemSubmitPerms,extensionAttribute1,extensionAttribute10,extensionAttribute11,extensionAttribute12,extensionAttribute13,extensionAttribute14,extensionAttribute15,extensionAttribute2,extensionAttribute3,extensionAttribute4,extensionAttribute5,extensionAttribute6,extensionAttribute7,extensionAttribute8,extensionAttribute9,internetEncoding,legacyExchangeDN,mailNickname,mAPIRecipient,msExchHideFromAddressLists,msExchPoliciesExcluded,msExchPoliciesIncluded,msExchRecipientDisplayType,msExchRecipLimit,msExchRequireAuthToSendTo,msExchVersion,protocolSettings,proxyAddresses,publicDelegates,showInAddressBook,submissionContLength,targetAddress,textEncodedORAddress,unauthOrig -InheritedObjectType Contact -InheritanceType Descendents

Changing Mail-Enabled Contact Object Properties

To run the Set-MailContact cmdlet against a contact object, the following permissions must be granted:

  • The account you use must be delegated the Exchange View-Only Administrator role.

  • The Exchange administrator must have Read and Write access to the desired contact object attributes. For more information about how the Set-MailContact cmdlet properties map to the Active Directory attributes, see the "Mailbox-Enabled Contact-Related Properties" section earlier in this topic.

In addition, because the Set-MailContact task is used to make sure that the object is assigned to the appropriate e-mail address policy, the Exchange Administrator also requires the following permissions:

  • The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.

  • Read and Write access to the following attributes:

    • proxyAddresses

    • msExchPoliciesIncluded

    • msExchPoliciesExcluded

    • mail

    • textEncodedORAddress

Each organization defines what it expects from an Exchange administrator. However, Exchange administrators have to perform certain common tasks with regard to group objects, such as the following:

  • Mail-enabling group objects

  • Mail-disabling group objects

  • Changing properties on mail-enabled group objects

Administrators can perform these tasks by using the Exchange Management Console or the Exchange Management Shell.

Note

This section does not discuss the rights that are needed to run the New-DistributionGroup and Remove-DistributionGroup cmdlets. In addition to the rights listed in the "Mail-Enabling Group Objects" and "Mail-Disabling Group Objects" sections here, an administrator must also be able to create and delete group objects. For more information about what rights are required to create group objects, see Best Practices for Delegating Active Directory Administration.

Mail-Enabling Group Objects

To run the Enable-DistributionGroup cmdlet against a group object, the account you use must be delegated the Exchange View-Only Administrator role.

The Exchange administrator must have Read and Write access to the following group object attributes.

authOrig

displayName

dlMemRejectPerms

dLMemSubmitPerms

legacyExchangeDN

mail

mailNickname

msExchPoliciesExcluded

msExchPoliciesIncluded

msExchRecipientDisplayType

msExchRequireAuthToSendTo

msExchVersion

proxyAddresses

publicDelegates

reportToOriginator

showInAddressBook

textEncodedORAddress

unauthOrig

In addition, the administrator requires the following:

  • The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to update the object with the appropriate address information.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.

You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions.

For example, to grant the ability to mail-enable group objects, you must follow these steps:

  1. Run the following command to grant the Admin account the ability to manage Exchange-related attributes on the group objects in the OU.

    Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties authOrig,displayName,dlMemRejectPerms,dlMemSubmitPerms,legacyExchangeDN,mail,mailNickName,msExchPoliciesExcluded,msExchPoliciesIncluded,msExchRecipientDisplayType,msExchRequireAuthToSendTo,msExchVersion,proxyAddresses,publicDelegates,reportToOriginator,showInAddressBook,textEncodedORAddress,unauthOrig -InheritedObjectType Group -InheritanceType Descendents
    
  2. Run the following command to grant the Admin account the extended right to access the Recipient Update Service.

    Add-ADPermission -Identity "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -InheritedObjectType ms-Exch-Exchange-Server -ExtendedRights ms-Exch-Recipient-Update-Access -InheritanceType Descendents
    
  3. Run the following commands to grant the Admin account the ability to update the address lists and e-mail address policies.

    Add-ADPermission -Identity "CN=Address Lists Container,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
    Add-ADPermission -Identity "CN=Recipient Policies,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
    

Mail-Disabling Group Objects

To run the Disable-DistributionGroup cmdlet against a group object, the account you use must be delegated the Exchange View-Only Administrator role.

The Exchange administrator must have Read and Write access to the following group attributes:

authOrig

delivContLength

displayNamePrintable

dlMemRejectPerms

dlMemSubmitPerms

extensionAttribute1

extensionAttribute2

extensionAttribute3

extensionAttribute4

extensionAttribute5

extensionAttribute6

extensionAttribute7

extensionAttribute8

extensionAttribute9

extensionAttribute10

extensionAttribute11

extensionAttribute12

extensionAttribute13

extensionAttribute14

extensionAttribute15

homeMTA

internetEncoding

legacyExchangeDN

mailNickname

mAPIRecipient

msExchHideFromAddressLists

msExchExpansionServerName

msExchPoliciesExcluded

msExchPoliciesIncluded

msExchRecipientDisplayType

msExchRecipLimit

msExchRequireAuthToSendTo

msExchVersion

oOFReplyToOriginator

protocolSettings

proxyAddresses

publicDelegates

reportToOriginator

reportToOwner

showInAddressBook

submissionContLength

targetAddress

textEncodedORAddress

unauthOrig

You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions. For example, to grant the ability to mail-disable group objects, run the following command to grant the Admin account the ability to manage Exchange-related attributes on the group objects in the OU.

Add-ADPermission "OU=OUContainer1,DC=Contoso,DC=com" -User company\Admin -AccessRights ReadProperty,WriteProperty -Properties authOrig,delivContLength,displayNamePrintable,dlMemRejectPerms,dlMemSubmitPerms,extensionAttribute1,extensionAttribute10,extensionAttribute11,extensionAttribute12,extensionAttribute13,extensionAttribute14,extensionAttribute15,extensionAttribute2,extensionAttribute3,extensionAttribute4,extensionAttribute5,extensionAttribute6,extensionAttribute7,extensionAttribute8,extensionAttribute9,homeMTA,internetEncoding,legacyExchangeDN,mailNickname,mAPIRecipient,msExchHideFromAddressLists,msExchExpansionServerName,msExchPoliciesExcluded,msExchPoliciesIncluded,msExchRecipientDisplayType,msExchRecipLimit,msExchRequireAuthToSendTo,msExchVersion,oOFReplyToOriginator,protocolSettings,proxyAddresses,publicDelegates,reportToOriginator,reportToOwner,showInAddressBook,submissionContLength,targetAddress,textEncodedORAddress,unauthOrig -InheritedObjectType Group -InheritanceType Descendents

Changing Mail-Enabled Group Object Properties

To run the Set-DistributionGroup cmdlet against a group object, the following permissions must be granted:

  • The account you use must be delegated the Exchange View-Only Administrator role.

  • The Exchange administrator must have Read and Write access to the desired group object attributes. For more information about how the Set-DistributionGroup properties map to the Active Directory Attributes, see the "Distribution Group-Related Properties" section earlier in this topic.

In addition, because you can use the Set-DistributionGroup cmdlet to make sure that the object is assigned to the appropriate e-mail address policy, the Exchange Administrator also requires the following:

  • The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.

  • Read and Write access to the following attributes:

    • proxyAddresses

    • msExchPoliciesIncluded

    • msExchPoliciesExcluded

    • mail

    • textEncodedORAddress

Each organization defines what it expects from an Exchange administrator. However, Exchange administrators have to perform certain common tasks with regard to dynamic distribution group objects, such as the following:

  • Mail-enabling group objects

  • Mail-disabling group objects

  • Changing properties on mail-enabled group objects

Administrators can perform these tasks by using the Exchange Management Console or the Exchange Management Shell.

Creating and Deleting Dynamic Distribution Group Objects

To run the New-DynamicDistributionGroup and Remove-DynamicDistributionGroup cmdlets against a dynamic distribution group object, the account you use must be delegated the Exchange View-Only Administrator role.

In addition, the administrator must have the following:

  • Create msExchDynamicDistributionList objects permission

  • Delete msExchDynamicDistributionList objects user right

  • Full Control over msExchDynamicDistributionList objects

  • The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.

You can use the Add-ADPermission cmdlet to grant the necessary permissions in the domain and configuration partitions.

For example, to grant the ability to create/delete dynamic distribution group objects, the following steps must be performed:

  1. Run the following command to grant the Admin account the appropriate permission to manage dynamic distribution groups in the OU.

    Add-ADPermission "ou=Container1,dc=Contoso,dc=com" -User company\Admin -AccessRights GenericAll -InheritanceType Descendents -InheritedObjectType msExchDynamicDistributionList
    

    To run the preceding command in Exchange 2007 SP1, use the ChildObjectTypes parameter instead of InheritedObjectType:

    Add-ADPermission -Identity "ou=Container1,dc=Contoso,dc=com" -User "Contoso\OU1AdminGroup" -AccessRights GenericAll -ChildObjectTypes msExchDynamicDistributionList
    
  2. Run the following command to grant the Admin account the appropriate permission to create and delete dynamic distribution groups in the OU.

    Add-ADPermission "ou=Container1,dc=Contoso,dc=com" -User company\Admin -AccessRights CreateChild, DeleteChild -ChildObjectTypes msExchDynamicDistributionList
    
  3. Run the following command to grant the Admin account the extended right to access the Recipient Update Service.

    Add-ADPermission -Identity "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\OU1AdminGroup" -InheritedObjectType ms-Exch-Exchange-Server -ExtendedRights ms-Exch-Recipient-Update-Access -InheritanceType Descendents
    
  4. Run the following commands to grant the Admin account the ability to update the address lists and e-mail address policies.

    Add-ADPermission -Identity "CN=Address Lists Container,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
    Add-ADPermission -Identity "CN=Recipient Policies,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com" -User "company\Admin" -AccessRights WriteProperty -Properties msExchLastAppliedRecipientFilter, msExchRecipientFilterFlags
    
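The user, contact, group and dynamic distribution group procedures above all grant rights with Add-ADPermission but never read them back. The following script is an added example, not part of the original topic: it uses Get-ADPermission to list the delegated account's allow ACEs and reports any right the procedure requires that is missing, and any right on the OU broader than the procedures grant. The Contoso names, the attribute list (taken from the Enable-MailUser step) and the Get-Names helper are assumptions for the example.

```powershell
# Added example (not from the original topic): audit what Add-ADPermission actually
# delegated, so the recipient administrator holds the rights listed above and
# nothing broader. Run in the Exchange 2007 Management Shell as an account that
# can read the ACLs. Names below are the topic's Contoso sample values.

$account    = "company\Admin"
$ou         = "OU=OUContainer1,DC=Contoso,DC=com"
$orgConfig  = "CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com"
$adminGroup = "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,$orgConfig"
$containers = @("CN=Address Lists Container,$orgConfig", "CN=Recipient Policies,$orgConfig")

# Object class the OU delegation targets and the attributes it must cover.
# These are the Enable-MailUser values from the user procedure; substitute the
# contact or group list (and "Contact"/"Group") for those procedures. For the
# dynamic distribution group procedure set $childType instead, which switches
# the OU check to CreateChild/DeleteChild on that class.
$objectType = "User"
$childType  = $null      # e.g. "msExchDynamicDistributionList"
$required   = "textEncodedORAddress","mail","msExchRecipientDisplayType","msExchVersion",
              "authOrig","dLMemSubmitPerms","showInAddressBook","mailNickname",
              "proxyAddresses","targetAddress","publicDelegates","internetEncoding",
              "legacyExchangeDN","msExchPoliciesIncluded","msExchPoliciesExcluded",
              "protocolSettings","unauthOrig","dlMemRejectPerms"

# Rights the attribute-level procedures never grant on the OU. An allow ACE
# carrying one of them means the delegation is wider than the split model intends.
$broadRights = "GenericAll","GenericWrite","WriteDacl","WriteOwner"

# Flatten AccessRights/ExtendedRights/Properties to plain names, whether the ACE
# object exposes them as an array or as one comma-joined flags value.
function Get-Names($value) {
    if ($value -eq $null) { return @() }
    return @("$value" -split '[ ,]+' | Where-Object { $_ })
}

function Get-AllowAces($identity) {
    Get-ADPermission -Identity $identity -User $account | Where-Object { -not $_.Deny }
}

$findings = @()

# 1. The OU: either attribute-level rights or create/delete rights on a child class.
$ouAces = Get-AllowAces $ou
if ($childType) {
    $childRights = $ouAces |
        Where-Object { (Get-Names $_.ChildObjectTypes) -contains $childType } |
        ForEach-Object { Get-Names $_.AccessRights }
    foreach ($r in "CreateChild","DeleteChild") {
        if ($childRights -notcontains $r) { $findings += "OU: missing $r on $childType" }
    }
} else {
    $granted = $ouAces |
        Where-Object { "$($_.InheritedObjectType)" -eq $objectType -and
                       (Get-Names $_.AccessRights) -contains "WriteProperty" } |
        ForEach-Object { Get-Names $_.Properties }
    foreach ($attr in $required) {
        if ($granted -notcontains $attr) { $findings += "OU: no WriteProperty on $attr for $objectType" }
    }
}
foreach ($ace in $ouAces) {
    # The dynamic distribution group procedure grants GenericAll on that class
    # deliberately, so an ACE scoped to $childType is not reported.
    if ($childType -and "$($ace.InheritedObjectType)" -eq $childType) { continue }
    $broad = (Get-Names $ace.AccessRights) | Where-Object { $broadRights -contains $_ }
    if ($broad) { $findings += "OU: broader than intended: $($broad -join ',') (inherited: $($ace.IsInherited))" }
}

# 2. The extended right on the administrative group.
$hasRus = Get-AllowAces $adminGroup |
    Where-Object { (Get-Names $_.ExtendedRights) -contains "ms-Exch-Recipient-Update-Access" }
if (-not $hasRus) { $findings += "Admin group: ms-Exch-Recipient-Update-Access not granted" }

# 3. WriteProperty on the two filter attributes of each container.
foreach ($dn in $containers) {
    $props = Get-AllowAces $dn |
        Where-Object { (Get-Names $_.AccessRights) -contains "WriteProperty" } |
        ForEach-Object { Get-Names $_.Properties }
    foreach ($attr in "msExchLastAppliedRecipientFilter","msExchRecipientFilterFlags") {
        if ($props -notcontains $attr) { $findings += "$dn : no WriteProperty on $attr" }
    }
}

if ($findings.Count -eq 0) { "Delegation for $account matches the procedure." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Inherited ACEs are reported with IsInherited set to True so that rights arriving from a parent container, rather than from the procedure's own Add-ADPermission calls, can be traced to their source.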

Changing Dynamic Distribution Group Object Properties

To run the Set-DynamicDistributionGroup cmdlet against a dynamic distribution group object, the following permissions must be granted:

  • The account you use must be delegated the Exchange View-Only Administrator role.

  • The Exchange administrator must have Read and Write access to the desired group object attributes. For more information about how the Set-DynamicDistributionGroup properties map to the Active Directory attributes, see the "Dynamic Distribution Group-Related Properties" section earlier in this topic.

In addition, because the Set-DynamicDistributionGroup cmdlet is used to make sure that the object is assigned to the appropriate e-mail address policy, the Exchange Administrator also requires the following permissions:

  • The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.

  • Read and Write access to the following attributes:

    • proxyAddresses

    • msExchPoliciesIncluded

    • msExchPoliciesExcluded

    • mail

    • textEncodedORAddress

New in Exchange 2007 SP1

Each organization defines what it expects from an Exchange administrator. However, Exchange administrators have to perform certain common tasks with regard to public folder objects, such as the following:

  • Mail-enabling public folder objects

  • Mail-disabling public folder objects

  • Changing properties on mail-enabled public folder objects

Mail-Enabling Public Folder Objects

To run the Enable-MailPublicFolder cmdlet against a public folder object, the account you use must be delegated the Exchange Public Folder Administrator role.

Mail-Disabling Public Folder Objects

To run the Disable-MailPublicFolder cmdlet against a public folder object, the account you use must be delegated the Exchange Public Folder Administrator role.

Changing Mail-Enabled Public Folder Object Properties

To run the Set-MailPublicFolder cmdlet against a public folder object, the following permissions must be granted:

  • The account you use must be delegated the Exchange Public Folder Administrator role.

  • The Exchange administrator must have Read and Write access to the desired public folder object attributes. For more information about how the Set-MailPublicFolder properties map to the Active Directory attributes, see the "Public Folder-Related Properties" section earlier in this topic.

In addition, because you can use the Set-MailPublicFolder cmdlet to make sure that the object is assigned to the appropriate e-mail address policy, the Exchange Administrator also requires the following:

  • The Access Recipient Update Service extended right on the Exchange 2007 administrative group so that the task can use the Recipient Update Service to stamp the object with the appropriate address information.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Address Lists container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-AddressList cmdlet.

  • Write access to the msExchLastAppliedRecipientFilter and msExchRecipientFilterFlags attributes on the Recipient Policies container in the Exchange organization. These permissions are required so the recipient administrator can run the Update-EmailAddressPolicy cmdlet.

  • Read and Write access to the following attributes:

    • proxyAddresses

    • msExchPoliciesIncluded

    • msExchPoliciesExcluded

    • mail

    • textEncodedORAddress